Articles by jaredj

I'm presently running an assortment of virtual machines on my desktop
using Fedora, KVM, and libvirt. I did this because I wanted one of my
virtual machines to have real video cards, and Fedora had a new enough
kernel at the time to just barely be able to do this …

To build 4store on FreeBSD, of course you need Raptor, Redland and
Rasqal: pkg install redland. And the autotools: pkg install autoconf
automake libtool. Git to check it out: pkg install git. You need glib,
and libxml if you don't have it already. readline, for some
reason. And ossp-uuid, without …

The editor caper continues, kind-of. I'm pretty settled on
xah-fly-keys now, although it still doesn't have C-k. I found out the
side arrow keys move you from search result to search result. This is
a jarring inconsistency with the ijkl keys. And in the few cases when
I've quickly dropped …

For twelve years or so, I used Vim. Then, at work, I decided to try
Emacs for the fifth time or so, and it stuck, particularly when I
managed to teach find-file-at-point how to find the file defining a
given Puppet class, when my cursor was on the class's name …

I have a router that runs LEDE. It has 115 firewall rules. I made
these by typing stanzas of about eight lines each into a file
/etc/config/firewall. Not great, not bad. I've already held forth on this some. But now the
path of least resistance for deploying web …

The Bubble Babble encoding, due to Antti
Huima, was invented in 2000. It has six vowels and seventeen
consonants, and checksums built in so you can tell whether a purported
Bubble Babble string is valid or not. A Bubble Babble string always
begins and ends with 'x'. This encoding is …

FreeBSD jails are not nearly so glamorous as OCI/Docker
containers. FreeBSD jail statically assigned IP addresses are not
nearly so glamorous as CNI. But it's been like one week and I have a
PHP/MySQL app up inside a FreeBSD jail with IPv6, where it took me
three weeks …

It seems after all that my LEDE upgrade didn't work flawlessly. I
suddenly lost all of my IPv6 addresses (except the link-local ones,
natch). I've just quelled this rebellion by disabling odhcpd and using
dnsmasq-full to serve stateless DHCPv6 (Android does not support
stateful DHCPv6).

I decided I needed to use DHCPv6 to get the IPv6 address for my
container, so that if dnsmasq served the address it could update its
DNS (one nice thing it does), and I could at least get to my container
using a DNS name inside my own network, if …

I've learned a few things. First, a firewall misconfiguration was
partly to blame. Second, neither Alpine's nginx package, nor netcat as
found in Debian, appear to support IPv6. The dhcp daemon can be
written into a systemd unit; I haven't done it yet. DNS updates might
happen if I were …

So http://securityrules.info/ is still around, and highly trafficked
by search engine bots—bingbot, Googlebot, AhrefsBot, Baiduspider,
MJ12Bot and BLEXBot. Real people appear to have fetched around 15,000
pages of information about security rules in the past month—around
20 hits per hour on average.

So the macvlan networking doesn't appear to work for me in the way I
had hoped. What I imagined CNI would get me was that each one of my
containers would get its own autoconfigured IPv6 address, and it would
be some Small Matter of Programming to get those addresses …

Containers are real neat. I like how you can build a single thing that
contains a hunk of an application, and deploy both the initial version
and follow-on updates quickly. Containers are very easy to deploy to
any of a panoply of public clouds, but I want to host web …

I grew up with Commodore BASIC, command.com, and bash. Somewhere in
there I found Plan 9. A bit of Cisco. A bit of Solaris (sh,
csh). Emacs for the last five or six years. In the past couple of
years at work I've begun using PowerShell a great deal …

darbrrb is well-developed and well-tested. I've made several backups
with it. But I've grown frustrated with how serial it is. I decided
early on to make it as simple as I could: it calls dar (so to be able
to write down exactly how dar was called inside the backup …

So my router runs OpenWRT, and its configuration is complicated enough
that I can't easily capture it all in one place, nor set up a new blank
router to do its job if need be. There are packages to install, UCI
settings to set, configuration files to put in place …

I'm annoyed at the app-centric world that most people live in nowadays.
The FSF wants my help in protesting the Hollyweb, and Dave Winer and
Hossein Derakhshan are on about the web we have to save ("Log in to
Medium to recommend this story!"). I've been annoyed for a long …

I looked in the source of parchive (which is only like 3500 lines of
code to par2cmdline's 13500 or so) and didn't find any evidence of the
flawed math that was in the original RS tutorial. I don't think parchive
is flawed at this point.

Upon reading a few more papers, I find that the reason people only
simulate turbo codes in software is because decoding them is so
computationally difficult that for the applications they are used in
(phones and TVs) people make custom silicon or write programs for DSPs
in order to decode …

I've done some reading about various kinds of codes (thanks again,
Wikipedia). I've found that while Reed-Solomon is a good code, it takes
a lot of computation to encode as compared to some others. Most
interestingly, turbo codes seem faster and the patent on them just
expired in 2013. They are …

In 2013, I wrote darbrrb
to make redundant backups onto optical media using dar and par2. After
some testing I found par2 was so slow that backing up my files (a couple
of hundred gigabytes) would take more than a week, not counting the time
it takes to burn each …

I've worried a lot lately rather than coding. I haven't got that much
time to do either of them, so it's important to make sure that the
coding I do helps people or has lasting merit. Or at least it seems like
that.

I've moved the font customizations I made for this blog into a child
theme, after learning that WordPress has these things called child
themes, and after a WordPress upgrade took out the changes I had made in
an ad-hoc fashion. The GitLab repo.

I've moved to Pittsburgh, and obtained a job at Peoples Natural Gas as a
cybersecurity analyst. This is so far rather less focused on the details
of compliance on individual hosts, and more on the whole organization,
the whole networks, people, and the policies people follow. This may
mark a …

While reading the code of par2cmdline (a month ago or something), I
think I apprehended that the number of input files and the number of
slices for the Reed-Solomon calculations are linked quite closely, and
that perhaps this was why the PAR2 file format moved to using 16-bit
Galois fields …

I wrote Shaney (history) to parse important elements out of hundreds of
text files (Puppet source code and LaTeX), and produce interesting
content out of them, writing it into dozens of other text files (LaTeX).
Now I'm trying to do much the same thing for snailcrusader, but not
reading only …

Katello helps you create local Yum and Puppet repositories, obtain
updates to packages in these repositories, and make the updates
available in a controlled fashion. It's also hooked into Foreman for
provisioning. Landscape seems to do similar things for Ubuntu.

Configuration Management for Information Technology Systems (CMITS) is a
melding of Puppet, LaTeX and my own scripts that makes compliance with
hundreds of security requirements maintainable for me at work. And I've
obtained permission to release it. The initial release is made at
https://github.com/afseo/cmits, in the …

I built Firefox OS (or Boot2Gecko; are they still calling it that when
it doesn't come straight from Mozilla?) for my Nexus 4 phone. It boots
fast, it runs well, and I used it for a couple of days. It's a great
piece of software and …

So Acme exposes its windows and their contents through 9P. You can
easily extend it by writing programs that mess around with the files it
serves. Very neat idea. Now Inferno also has a lot built on 9P, but it
uses Tk for its GUI widgets. I get it, Tk …

I've worked a lot with OpenWRT lately, making it do things I've never
made it do before, like provide IPv6 prefixes to downstream routers,
consume IPv6 prefixes from upstream routers, block all traffic by
default, and provide real, not-local-only IPv6 addresses to a management
network without promising to route traffic …

I've recently read about secret-sharing protocols, where by means of
mathematics some secret bits can be distributed among some number of
people such that reconstructing the secret requires some size of quorum.
For example, say I've built a successful drink company. The recipe for
the drink is of course secret …

When first released, sagemincer was slow. Like, thirty seconds to load
a page slow. After a bunch of changes, now it's fast enough to be far
prouder of. Also I got a new domain for it, securityrules.info.

If you've been reading my Compliance at Home series, you'll know that
the DoD releases security guidance in the form of STIGs. They're
downloadable as ZIP files, which contain ZIP files, which contain
checklists written in XCCDF, and stylesheets that can turn the XCCDF
document into HTML. So if I …

I've been learning about Linked Data
lately, along with other related concepts like RDF, RDFS, OWL, and
SPARQL, and having a lot of fun with it. I think it's quite promising,
which is a silly statement to make because it's already doing a lot of
work for many people: it's …

1. Dave and Gunnar had a whole podcast episode about SCAP. I grudgingly
feel that it is cooler than I thought. The SCAP Security Guide project
in particular sounds like it is involving people from outside the
security area of expertise …

I like smartcards. They can be quite secure, and they are simple to use,
given all the right hardware and software. But to buy a small quantity
of ISO 7816 smartcards seems quite expensive, compared to buying some
microcontroller chips that purport to fill some of the same functions.
Smartcards …

Last time I shared my doubts about the applicability of the way security
configuration is being done to home administrators. So what do I think
we should all be doing instead of what NIST and DISA think we should be
doing?

These things: Describe security-related system configuration changes
using languages …

Last time I talked about the documents I've seen and used that contain
security requirements at various levels of detail, and I said I'd speak
more on what's being done to automate compliance, and what should be
done instead.

I'm much more cognizant of the need for secure configuration of
operating system software everywhere than I've ever been in my life—and
at no time in my life have I had less time to worry about securing my
home computers.

Reorg is my project to rejuvenate an electric organ from the 1970s as a
MIDI keyboard controller, overengineering everything along the way. It
lives in this Darcs repository. The products of it so far are two
printed circuit boards which look like these: 1, 2.

Tails is a live DVD or thumbdrive image based on Debian Live, which
routes all your network traffic while you are using it through the Tor
anonymity network. It's slick, it's secure, but it's slow to boot.

Haiku is a desktop operating system inspired by the BeOS. It's small,
it's …

So this is the blog where I commune with my past and future selves. A
story: Once I filed an issue against a piece of software I had written,
about the need to redesign it to be orders of magnitude faster. That
ticket has over 100 comments, all from me …